My fix checks to see if they are logged in as admin before executing the query, and it directs them to the main page if they are not logged in. If they are an admin it will allow the query if you're not trying to create a God account, which you're not supposed to be able to do anyway.
Find in "admin/modules/authors.php": the $result line should be on one line and has been chopped up here to make it easy to read.
Yours was a good idea too. I'll implement that code too.
Anyways, if they tried creating a "God" admin, it would fail unless if you are already an admin. So if you are logged into your own site as an admin, the "exploit" will work.
The code uses the is_admin() function located in the mainfile that checks if you're an admin and validates it with the database.
Anyways, thanks for your code.
Here's something else I just thought of. Maybe you could use something similar to the validation code for logins... Just a thought.
_________________ Original creator of
* Fetch Mod
* RPG Races Module
* 2 The Xtreme Theme
miniportal Nuke Cadet
Joined: Apr 18, 2004
Posts: 5
Posted:
Mon Apr 19, 2004 4:30 am
Of course right you are, but as I mentioned your patch was only against the 'God' admin, but the only difference between GOD and 'normal' Super-admin is just the fact that it can't be deleted from the admin menu, so it is easy to pass the patch. I found the weakness by making a mistake in the word 'God' in the exploit's url Luck
I thank you both for coming up with this ... I want to put it on site ASAP. I've been hacked twice in two days and just changed my index.php and admin.php names and locations until I could figure out what to do.
Forgive me for being a newbie ;o) But the code you have here some_random_password_only_you_know ...... do we replace that in ALL areas with our "whatever we only know" code?
Or do we leave it as is and change it only in certain places?
And finally ... where it says "header location" and alpha.shl.pl .... do we put our header file from the main (base) root in to replace that or the header in the admin panel?
Thanks very much!
miniportal Nuke Cadet
Joined: Apr 18, 2004
Posts: 5
Posted:
Tue Apr 20, 2004 5:28 am
1) there are two places to change - first is a hidden variable in your form, the second one checks if this variable is set. Of course the "whatever we only know code" must be the same
2) Header("Location: http://alpha.shl.pl"); line redirects the person trying to hack our site to the specified location. I use 'http://alpha.shl.pl', but you can, for example, use
Header("Location: index.php");
to redirect to your home
Header("Location: info_for_hacker.php");
to redirect to a page with info that the CIA has the hacker's address and is going to get him
or
Header("HTTP/1.0 404 Not Found");
to create a fake 'Error 404 - URL not found' message
1) there are two places to change - first is a hidden variable in your form, the second one checks if this variable is set. Of course the "whatever we only know code" must be the same
Okay,
Thank you so much. I really appreciate it.... as I'm sure 1,000's of others do right now too. You should have seen how they taunted me with the hack!
Posted on my site ..... saying "So you really think PHP-Nuke is secure" and "Patch Your site 1 minute after a bug report".
I think the hackers spend as much time reading these boards (probably more) than us regular users.
Oh .. the part I was curious about was the area where this is at:
I thought maybe the $ in front of the "some random" meant that it was defined somewhere else ... like in a language file .. and we left the variable here ... but that's what I get for thinking after two days of dealing with these hacks ;o)
Thanks very much again!
Take care.
chatserv General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted:
Tue Apr 20, 2004 9:45 pm
If this thread refers to the addauthor hack, a simple way to tackle it is to add to your admin.php right after the credits:
_________________ Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
b2phat Private
Joined: Oct 26, 2003
Posts: 37
Location: USA
Posted:
Tue Apr 20, 2004 10:23 pm
Okay ............
I'm getting there
I installed the protector system too and it is just AWESOME! I had no idea how advanced it was and how much control it gives you or I'd have installed it ages ago!
It already banned the person who hacked me yesterday some warex dude and his info was listed as *Union/ something or other. I guess he/they/it is well-known in the Nuke community because when I went to go look at the info on them, it said "You probably ALREADY know" .
I have a question though .... I was going in to make sure that I didn't have any surprise "God" accounts again but got an SQL syntax error when I clicked to go into admin.php?op=mod_authors. It happened after I added the fixes here, so I'm sure it's something simple but I can't find it.
Here's the error code:
Parse error: parse error in /home/user~/public_html/admin/modules/authors.php on line 408
And here is what I have on line 408:
Line 408: if(some_variable_only_I_know="the_same_variable_only_I_know") {
Line 409: Header("Location: http://alpha.shl.pl");
Line 410: exit;
Line 411: } else {
Can someone tell me where I screwed up? Do I have an extra ; or something in there?
Thanks much!
miniportal Nuke Cadet
Joined: Apr 18, 2004
Posts: 5
Posted:
Wed Apr 21, 2004 1:03 am
Line 408: if($some_variable_only_I_know!="the_same_variable_only_I_know") {
I am trying to recreate my staff from the admin panel, because the field values didn't match from my saved backup.
But when I went to click submit ... I got redirected ;o)
I was logged in as "God" ... any ideas why that may have happened?
Thanks!
Waldo Nuke Soldier
Joined: Mar 16, 2004
Posts: 24
Posted:
Thu Apr 22, 2004 11:35 am
Question--
this "some_random_value_you_only_know" stuff-- if the random value is a hidden form value, then wouldn't anyone who can see the form be able to know what the value should be, and include it in the spoofed header? Or is it a thing where the form is never seen by the hacker prior to the hack attempt?
W
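Putting the three ideas from this thread together in one place, as an added example that is not PHP-Nuke's code and not any poster's patch: the is_admin() gate before the query, the refusal to create a "God" account, and miniportal's "two places" hidden-field check. For the hidden field it uses a random per-session token rather than a fixed secret, which is the answer to the question above: a fixed value is readable by anyone who can load the form, while a per-session value only ever appears in that logged-in admin's own page. Assumptions are labelled in the comments: is_admin($admin) exists in mainfile.php as described earlier in the thread, $db is a mysqli connection (PHP-Nuke's own $db object differs), the nuke_authors table and field names are placeholders, and the code needs PHP 7 or later for random_bytes().

```php
<?php
// Added example, not PHP-Nuke code. Combines the three protections discussed:
//   1. refuse the request unless the caller is already an admin,
//   2. refuse creation of a "God" account outright,
//   3. require a value the form carried in a hidden field (per-session token).
// Assumed: is_admin($admin) from mainfile.php; $db is a mysqli connection;
// table and column names are placeholders; PHP 7+ for random_bytes().

session_start();

function issue_form_token() {
    // Generated once per session, so every admin session sees a different value.
    if (empty($_SESSION['add_author_token'])) {
        $_SESSION['add_author_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['add_author_token'];
}

function render_add_author_form() {
    // First of the "two places": the hidden variable in the form.
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="admin.php?op=AddAuthor">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . 'Name: <input type="text" name="add_aid">'
         . 'Password: <input type="password" name="add_pwd">'
         . 'Super admin: <input type="checkbox" name="add_radminsuper" value="1">'
         . '<input type="submit" value="Add Author">'
         . '</form>';
}

function add_author_decision(array $post, array $session, $caller_is_admin) {
    // Second of the "two places": the check, run before any query.
    if (!$caller_is_admin) {
        return 'not_admin';
    }
    if (empty($session['add_author_token'])
        || !isset($post['form_token'])
        || !hash_equals($session['add_author_token'], (string) $post['form_token'])) {
        return 'bad_token';       // missing, stale, or forged hidden value
    }
    if (isset($post['add_aid']) && strcasecmp(trim($post['add_aid']), 'God') === 0) {
        return 'god_forbidden';   // there is never a reason to create a second God
    }
    return 'ok';
}

function handle_add_author(mysqli $db) {
    global $admin;                // PHP-Nuke's admin cookie variable (assumed)
    $decision = add_author_decision($_POST, $_SESSION, is_admin($admin));
    if ($decision !== 'ok') {
        // Same treatment the thread suggests: log it, redirect, and stop.
        // header('HTTP/1.0 404 Not Found') works here too if you prefer a fake 404.
        error_log("AddAuthor refused ($decision) from " . $_SERVER['REMOTE_ADDR']);
        header('Location: index.php');
        exit;
    }
    // Bound parameters instead of building the INSERT from request strings.
    $aid   = $_POST['add_aid'];
    $pwd   = password_hash($_POST['add_pwd'], PASSWORD_DEFAULT);
    $super = empty($_POST['add_radminsuper']) ? 0 : 1;
    $stmt  = $db->prepare('INSERT INTO nuke_authors (aid, pwd, radminsuper) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $aid, $pwd, $super);
    $stmt->execute();
    // Rotate the token so a replayed copy of this submission is refused.
    unset($_SESSION['add_author_token']);
}
```

The decision logic is kept in a function that takes the POST data, the session and the admin flag as plain arguments, so the four outcomes can be exercised without a browser; the handler is the only part that touches headers and the database.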
b2phat Private
Joined: Oct 26, 2003
Posts: 37
Location: USA
Posted:
Thu Apr 22, 2004 12:16 pm
Waldo wrote:
Question--
this "some_random_value_you_only_know" stuff-- if the random value is a hidden form value, then wouldn't anyone who can see the form be able to know what the value should be, and include it in the spoofed header? Or is it a thing where the form is never seen by the hacker prior to the hack attempt?
W
Hi Waldo,
I'm not sure about the answer to your question... but I do know that it's in the includes folder of admin ... and I tried to view source but couldn't see it.
But ... I downloaded the protector module from "War Center" and it accomplishes the same thing and protects your admin pages and just about everything else.
I installed it the day after I was hacked .. and it's already recorded another "God Admin" violation attempt. And it stops them so cool! It sounds an alarm on their system ... then redirects them to where you choose (I chose www.FBI.gov) LOL. Then, it automatically bans them and adds them to your .htaccess file. It then emails you with a report and even tells you what the violation attempt was. In my case, they tried to use this url. On second thought ... I'm not going to print the url .. but it's just a simple url that includes the name AddAuthors, God and superuser in it. Unbelievable that it was that simple for them to do that!
It is awesome! Gives you total control over everything ... even spiders!